CPD article: Auditing culture – a case study by Barclays Bank
Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. Learn some practical tips from this Barclays case study.
Reading this article and answering these related questionscan count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
At a series of focus group meetings with ACCA members working in internal audit last year, ACCA found that culture is seen as a challenging and subjective topic but an area of interest for all members. In response to this feedback, ACCA UK’s Internal Audit Network invited Barclays Bank to present a webinar on how to audit culture.
Alison Smith - a director in Barclays Internal Audit – presented the webinar in February and this CPD article covers some of the highlights of the content. To listen to the full webinar and Q&A session, please click here to register.
Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. There are different approaches to auditing culture within the financial services sector, before you even consider approaches used in other industries. However, having a view of the Barclays approach may help readers to develop some ideas on what they can do in their own organisations. Any approach will need to evolve over time but it can be difficult to know where to start.
What is culture? There are many definitions of organisational culture but McKinsey coined arguably the most well-known over 50 years ago – ‘culture is the way that we do things around here’. That culture is driven predominantly by the attitudes and beliefs of the people that work within the organisation and is usually set at a high level within the organisation – the ‘tone from the top’.
Structurally, the espoused organisational culture and values tend to come down through organisational policy and standards. Barclays is not alone in having such values written down and communicated regularly both internally and externally. However, an organisational culture is much more than that – it means actually living those values (and the behaviours that are driven from those values) on a day to day basis.
The organisational culture determines the approach to risk management – the risk culture being the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation (Institute of Risk Management). For Alison, the risk culture is both a product of the organisational culture but also a determinant of overall organisational culture.
Fundamentally the culture is about doing the right thing – not because it is written down in those policies and procedures but because it is the right thing to do.
Why is culture important? Culture is important because the regulators say so, the IIA and ACCA say so, but most importantly, because poor organisational culture has been identified as one of the root causes of poor behaviour in corporates and has caused harm to both customers and reputation. Alison’s view is that managing culture is a vital issue for boards to ensure that not only are they setting the right tone at the top but that all employees are acting in accordance with their organisation’s ethics and values.
Within the financial services industry, stakeholders including regulators are keenly focused on culture within their observations and much has been written and researched by industry commentators, rule setters and implementers. The Group of 30 report Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform and the Financial Reporting Council’s report Corporate Culture and the Role of Boards are good examples. Investors have now taken a keen interest – just as they took an interest in CSR and organisations contributing to the community, investors are taking an interest in the cultural elements of an organisation.
In these reports there is considerable reference to the importance of having a strong three lines of defence within an organisation and the role of internal audit in assessing the culture, challenging it, and highlighting to management where there may be cultural failings.
Barclays approach The failings of culture within the financial services industry have been well documented. Barclays took a stand very early on in 2012 to look at a transformational programme. Part of that programme was around culture and values within the organisation and setting up a common purpose of ‘helping people to achieve their ambitions - in the right way’. The purpose is supported by five values – Respect, Integrity, Service, Excellence and Stewardship.
The transformation programme was about ensuring that these values were lived on a daily basis and not just espoused. The first activity that Barclays undertook to embed those values throughout the organisation was to have all 140,000 colleagues spend half a day talking about what those values meant – not from a theoretical perspective but what they meant to individuals. This allowed colleagues to engage with those values, consider whether they were values that they had personally as individuals, identifying which ones were challenging to fulfil on a day to day basis in their roles, and highlighting the ones they felt were particularly important for their role and area of the organisation.
The tone from the top was critical to its success - the chief executive and executive team provided time for all of the 140,000 colleagues to attend these courses so they could start to engage with those values. After that, Barclays built their values into all elements of the employee lifecycle from recruitment to performance management. Recruitment was not just based on what candidates could do but also the values that they held. Once the right people were recruited, their induction into the organisation reinforced the values that were important to Barclays.
Existing employees were helped to engage with the values through a change in the performance management process – objectives were set not just on what people would deliver but also how they would deliver, with a real focus on values. That involved educating employees and their managers, but it meant that employees were rewarded and incentivised on the basis of the values of the organisation.
Alison’s early thinking around culture started with a paper that was produced by the Financial Stability Board (Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture) that highlighted four critical elements required to achieve cultural change and drive culture throughout an organisation. Open communication channels were critical, as was the tone from the top, so that people felt they were empowered to challenge and escalate. Accountability through clear roles and responsibilities, and incentives that reinforce the maintenance of desired risk management behaviour, were the other two critical elements highlighted as necessary for a sound risk culture.
It was recognised that colleagues would need support for difficult decisions where there was potential for conflicts of interest. As well as training on the values, colleagues were also trained in ‘the Barclays Lens’ – a decision making tool for assessing the impact of decisions on all stakeholders.
Why do we audit culture? Alison provided real life examples of how the culture of an organisation can overcome controls – illustrating why it is so important to audit culture. One example was the accident that happened on the Smiler ride at Alton Towers in 2015 – engineers failed to notice that a carriage had stopped mid-way around the ride. They assumed that there was a problem with the computer and over-rode the stop mechanism, setting another train in motion and into the empty carriage with tragic consequences. The culture overcame the controls in that example – a culture that did not give sufficient weight to warning signs to the point where it was felt that they could be ignored.
Who should do a culture audit? A culture audit is a different beast to auditing processes and controls, so there is a need to consider the skillsets that the internal audit function needs to be able to deliver those audits. With culture audits, observation of the behaviour of people is core. You can understand the culture either through surveys, through speaking with people, or through observation – some of the techniques used for assessing controls.
With that in mind, it may not take much additional training for internal auditors to be able to look at culture within an organisation. More important is having the right mind set – being open to thinking about what is happening within your organisation, why things work the way they do, and being able to challenge that. You could consider whether those skillsets already exist within the organisation – not just necessarily within internal audit – and whether it is possible to upskill people, or work in multi-disciplinary teams.
How do we audit culture? There are different ways to tackle audit of culture. Some organisations have gone down the route of bringing specialist skills into internal audit – such as organisational psychologists who may be able to help with understanding behaviours and the culture within an organisation. Another consideration under ‘how’ is whether there are certain areas that you might want to deep dive into to understand the subcultures within the firm, or at the other extreme, looking at it more globally in terms of what messages are coming from very senior colleagues.
Barclays internal audit approach During the transformation process, Alison was working in multi-disciplinary teams – principally risk, HR and compliance - on how they were going to start to think about culture and how they were going to measure the impact of the cultural change programme that was happening within the firm. An argument had to be made for why it was necessary to measure the impact – which was to know that the culture was changing in the way they wanted it to and that the values were really being lived on a day to day basis inside the business. That was the genesis of three-pronged Barclays internal approach as illustrated by the diagram below.
The first element was initially to audit the way that the business was thinking about how it would measure the cultural change. Now that there is a cultural measurement framework in place, it is about auditing that framework. Alison’s team has recently conducted the first review of auditing the measurement framework and that will be reported to the board. That audit was at a group level – over the next 12-18 months, her team will start to look at not just the measurement but also how that framework is being used and how the metrics provided by the framework are used.
The second element is around the drivers and enablers of cultural change – all the aspects around the employee life cycle mentioned earlier. It is possible to audit recruitment processes, the way that employees are inducted into the firm and the objectives that are set for people (is there anything within those objectives that may be contrary to the culture we are trying to establish?). Disciplinary and grievance processes can be audited and assessed for any indicators about organisational culture. Attrition levels within the organisation can also be assessed for any cultural reasons driving those attrition levels.
The final element is termed ‘audit everywhere’. For any standard business audit, a management control approach is conducted – so as well as giving an assessment for the control environment, the area is also assessed for its management control approach. This looks at risk culture and how effective management is in unearthing issues and then fixing them. It looks at their approach to risk management – to controls – and how they ensure that people within their part of the organisation really understand what their responsibilities are in relation to operating control and also escalating where controls are not working as they should do.
Regular reporting of the audit results to the audit committee ensure this is reviewed by the board.
Exploring behavioural observation tools Alison and her team are considering different ways to evolve their approach to auditing culture. With every approach, their aim is to ensure that they act as a true third line of defence rather than doing anything that would be expected of the first or second line. As part of evolving their approach, they are starting to explore techniques that can be used to better equip their auditors to observe behaviour – including the use of ethnography as promoted by the Banking Standards Board as a different way to observe culture. This is not necessarily another element but it is a possible means of improving assessment around their management control approach.
To listen to the full webinar and Q&A session, please click here to register.
ACCA culture-governance tool The ACCA culture-governance tool seeks to support organisations with their culture goals. ACCA developed this tool on the basis of research conducted since 2012 under a global initiative called Culture and channelling corporate behaviour. Under this initiative ACCA held a series of international roundtables in London, New York, Dubai and Bengaluru alongside a survey of ACCA’s global membership, to which close to 2,000 members responded. A number of reports were produced.
The ACCA culture-governance tool helps organisations to review culture and determine the course of change.
 Ethnography is the systematic study of people and cultures. It is designed to explore cultural phenomena where the researcher observes society from the point of view of the subject of the study. The resulting field study or case report reflects the knowledge and the system of meanings in the lives of a cultural group.